fix: address PR review feedback for passwordless UI

- Escape auth.provider in HTML to prevent XSS (A1)
- Add aria-label to remove-password confirm input (A2)
- Show user-facing error when auth methods fail to load (A3)

Author: devondragon

src/main/resources/static/js/user/webauthn-manage.js

@@ -283,7 +283,7 @@ async function updateAuthMethodsUI() {
             badges += `<span class="badge bg-success me-2"><i class="bi bi-key me-1"></i>Passkeys (${auth.passkeysCount})</span>`;
         }
         if (auth.provider && auth.provider !== 'LOCAL') {
-            badges += `<span class="badge bg-info me-2"><i class="bi bi-cloud me-1"></i>${auth.provider}</span>`;
+            badges += `<span class="badge bg-info me-2"><i class="bi bi-cloud me-1"></i>${escapeHtml(auth.provider)}</span>`;
         }
         badgesContainer.innerHTML = badges;
 
@@ -306,6 +306,10 @@ async function updateAuthMethodsUI() {
         }
     } catch (error) {
         console.error('Failed to update auth methods UI:', error);
+        const section = document.getElementById('auth-methods-section');
+        if (section) {
+            section.innerHTML = '<div class="alert alert-warning">Unable to load authentication methods.</div>';
+        }
     }
 }
 

src/main/resources/templates/user/update-user.html

@@ -78,7 +78,7 @@ <h5 class="modal-title" id="removePasswordModalLabel"><i class="bi bi-exclamatio
 							<div class="modal-body">
 								<p>You are about to remove your password. After this, you will only be able to sign in using your passkeys.</p>
 								<p class="mb-2"><strong>Type REMOVE to confirm:</strong></p>
-								<input type="text" id="removePasswordConfirmInput" class="form-control" placeholder="Type REMOVE">
+								<input type="text" id="removePasswordConfirmInput" class="form-control" placeholder="Type REMOVE" aria-label="Type REMOVE to confirm">
 								<div id="removePasswordError" class="form-text text-danger d-none mt-1"></div>
 							</div>
 							<div class="modal-footer">